[f2fs-dev] Patch "fscrypt: fix race allowing rename() and link() of ciphertext dentries" has been added to the 4.19-stable tree

Sun, 01 Nov 2020 02:40:02 -0800 


This is a note to let you know that I've just added the patch titled

    fscrypt: fix race allowing rename() and link() of ciphertext dentries

to the 4.19-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     fscrypt-fix-race-allowing-rename-and-link-of-ciphertext-dentries.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.


>From foo@baz Sun Nov  1 11:35:18 AM CET 2020
From: Eric Biggers <[email protected]>
Date: Sat, 31 Oct 2020 15:05:50 -0700
Subject: fscrypt: fix race allowing rename() and link() of ciphertext dentries
To: [email protected]
Cc: [email protected], [email protected], 
[email protected], [email protected], Theodore 
Ts'o <[email protected]>
Message-ID: <[email protected]>

From: Eric Biggers <[email protected]>

commit 968dd6d0c6d6b6a989c6ddb9e2584a031b83e7b5 upstream.

Close some race conditions where fscrypt allowed rename() and link() on
ciphertext dentries that had been looked up just prior to the key being
concurrently added.  It's better to return -ENOKEY in this case.

This avoids doing the nonsensical thing of encrypting the names a second
time when searching for the actual on-disk dir entries.  It also
guarantees that DCACHE_ENCRYPTED_NAME dentries are never rename()d, so
the dcache won't have support all possible combinations of moving
DCACHE_ENCRYPTED_NAME around during __d_move().

Signed-off-by: Eric Biggers <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
 fs/crypto/hooks.c               |   12 +++++++++++-
 include/linux/fscrypt.h         |    2 +-
 include/linux/fscrypt_notsupp.h |    4 ++--
 include/linux/fscrypt_supp.h    |    3 ++-
 4 files changed, 16 insertions(+), 5 deletions(-)

--- a/fs/crypto/hooks.c
+++ b/fs/crypto/hooks.c
@@ -49,7 +49,8 @@ int fscrypt_file_open(struct inode *inod
 }
 EXPORT_SYMBOL_GPL(fscrypt_file_open);
 
-int __fscrypt_prepare_link(struct inode *inode, struct inode *dir)
+int __fscrypt_prepare_link(struct inode *inode, struct inode *dir,
+                          struct dentry *dentry)
 {
        int err;
 
@@ -57,6 +58,10 @@ int __fscrypt_prepare_link(struct inode
        if (err)
                return err;
 
+       /* ... in case we looked up ciphertext name before key was added */
+       if (dentry->d_flags & DCACHE_ENCRYPTED_NAME)
+               return -ENOKEY;
+
        if (!fscrypt_has_permitted_context(dir, inode))
                return -EXDEV;
 
@@ -78,6 +83,11 @@ int __fscrypt_prepare_rename(struct inod
        if (err)
                return err;
 
+       /* ... in case we looked up ciphertext name(s) before key was added */
+       if ((old_dentry->d_flags | new_dentry->d_flags) &
+           DCACHE_ENCRYPTED_NAME)
+               return -ENOKEY;
+
        if (old_dir != new_dir) {
                if (IS_ENCRYPTED(new_dir) &&
                    !fscrypt_has_permitted_context(new_dir,
--- a/include/linux/fscrypt.h
+++ b/include/linux/fscrypt.h
@@ -97,7 +97,7 @@ static inline int fscrypt_prepare_link(s
                                       struct dentry *dentry)
 {
        if (IS_ENCRYPTED(dir))
-               return __fscrypt_prepare_link(d_inode(old_dentry), dir);
+               return __fscrypt_prepare_link(d_inode(old_dentry), dir, dentry);
        return 0;
 }
 
--- a/include/linux/fscrypt_notsupp.h
+++ b/include/linux/fscrypt_notsupp.h
@@ -183,8 +183,8 @@ static inline int fscrypt_file_open(stru
        return 0;
 }
 
-static inline int __fscrypt_prepare_link(struct inode *inode,
-                                        struct inode *dir)
+static inline int __fscrypt_prepare_link(struct inode *inode, struct inode 
*dir,
+                                        struct dentry *dentry)
 {
        return -EOPNOTSUPP;
 }
--- a/include/linux/fscrypt_supp.h
+++ b/include/linux/fscrypt_supp.h
@@ -184,7 +184,8 @@ extern int fscrypt_zeroout_range(const s
 
 /* hooks.c */
 extern int fscrypt_file_open(struct inode *inode, struct file *filp);
-extern int __fscrypt_prepare_link(struct inode *inode, struct inode *dir);
+extern int __fscrypt_prepare_link(struct inode *inode, struct inode *dir,
+                                 struct dentry *dentry);
 extern int __fscrypt_prepare_rename(struct inode *old_dir,
                                    struct dentry *old_dentry,
                                    struct inode *new_dir,


Patches currently in stable-queue which might be from [email protected] are

queue-4.19/fscrypt-only-set-dentry_operations-on-ciphertext-dentries.patch
queue-4.19/fscrypt-clean-up-and-improve-dentry-revalidation.patch
queue-4.19/fscrypt-fix-race-allowing-rename-and-link-of-ciphertext-dentries.patch
queue-4.19/fs-fscrypt-clear-dcache_encrypted_name-when-unaliasing-directory.patch
queue-4.19/fscrypt-fix-race-where-lookup-marks-plaintext-dentry-as-ciphertext.patch


_______________________________________________
Linux-f2fs-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

Reply via email to